Forefront UAG Troubleshooting: The Application Uses Authorization Rules Based on Claims that Are Not Provided by the Authentication Server

Description—You have configured claims-based authorization for a published application using claim types provided by the AD FS 2.0 authentication server and you receive the following message "The application 'application_name' in trunk 'trunk_name' uses authorization rules based on claim types that are no longer provided by the authentication server. Update the authorization rules using available claim types."

Cause—If the AD FS 2.0 administrator changed the claim types provided by the AD FS 2.0 server, the federation metadata is automatically changed. If you re-retrieved the federation metadata for the AD FS 2.0 repository, the AD FS 2.0 server may no longer provide the claim type that the application is using for authorization.

Solution 1—To change the claim types used for application authorization:

In the Forefront UAG Management console, click the trunk through which the application is published. In the Applications list, click the application, and then click Edit.
On the Application Properties dialog box, click the Authorization tab.
Configure authorization rules based on the claim types provided by the AD FS 2.0 server, click OK, and then activate the configuration.

Solution 2—To change the claim types provided by the AD FS 2.0 server:

On the AD FS 2.0 server in the AD FS 2.0 Management console, go to AD FS 2.0\Service\Claim Descriptions.
In the Claim Descriptions pane, right-click the claim that you want to provide, and click Properties.
On the Properties dialog box, select the Publish this claim description in federation metadata as a claim type that this Federation Service can send check box, and then click OK.
In the AD FS 2.0 Management console, go to AD FS 2.0\Trust Relationships\Relying Party Trusts.
In the Relying Party Trusts list, right-click the Forefront UAG relying party, and then click Edit Claim Rules.
On the Edit Claim Rules dialog box, make sure that the AD FS 2.0 server is configured to send the claim type required by Forefront UAG.
In the Forefront UAG Management console, re-retrieve the federation metadata as described in Configuring an AD FS 2.0 authentication repository, and then activate the configuration.